Skip to content
Bizzi AI Governance Framework
Pillar V: AI Security · § 13

Platform security (ISMS)

AI security is not a separate stack. It sits on top of Bizzi’s platform Information Security Management System (ISMS), aligned to ISO/IEC 27001. The previous twelve sections of Pillar V describe what is added on top for AI-specific failure modes. This section names the ISMS underneath, so an auditor sees both the foundation and the additions in a single view.

Context

Section titled “Context”

AI controls do not stand alone. Access Token inheritance (§9) only works because the platform has trustworthy authentication. Data lineage (§5) only works because the platform has trustworthy storage and access controls. The Kill-switch (§11) only works because the platform has trustworthy change management. If any of those break, every AI-specific control above them breaks with it.

ISMS scope

Section titled “ISMS scope”

Bizzi’s ISMS covers the ten control families that ISO/IEC 27001 requires, plus the AI-specific augmentations Pillar V adds. The relevant families:

  • Security risk management. Risk register, treatment plans, periodic review.
  • Asset management. Inventory of systems with classification (Pillar IV §2).
  • Access control. IAM, MFA, RBAC. The foundation that Pillar V §9 builds on.
  • Cryptography. Encryption standards used across the platform (Pillar IV §3).
  • Network security. Segmentation, firewalls, VPN, zero-trust networking.
  • Operations security. Change management, monitoring, vulnerability management.
  • Supplier relationships. Vendor risk (Pillar II §6 builds on this).
  • Incident management. Process integrated with Pillar V §12.
  • Business continuity. DR plans including the Kill-switch (§11).
  • Compliance. Internal audit and external certification.

Key controls relevant to AI

Section titled “Key controls relevant to AI”

Five ISMS control areas matter most for AI features, because each one is the precondition for a specific Pillar V control above it.

Authentication

Section titled “Authentication”
  • MFA mandatory for every Bizzi employee with access to sensitive systems.
  • SSO integration for Enterprise customers.
  • Service accounts with automatically rotated credentials.

Network

Section titled “Network”
  • Zero-trust networking. No “trusted internal network.” Every request is authenticated end-to-end.
  • Service-to-service mTLS between internal services.
  • API gateway as the single ingress point, blocking unauthorised API access at the edge.
  • DDoS protection at the infrastructure layer. Complements the application-layer rate limits in §10.

Endpoint

Section titled “Endpoint”
  • Managed devices for employees with full-disk encryption and EDR.
  • No customer data on personal devices. Policy plus DLP enforcement.

Monitoring

Section titled “Monitoring”
  • SIEM collecting logs from every production system.
  • 24/7 SOC monitoring, internal or managed depending on plan.
  • Integrated alerting. The AI observability layer (Pillar IV §10) and the traditional SIEM are correlated, so an AI-specific anomaly and a platform-level event become a single incident.

Vulnerability management

Section titled “Vulnerability management”
  • Quarterly internal penetration tests.
  • Annual external penetration tests by an accredited party.
  • Bug bounty program planned for the v1.x roadmap.
  • CVE patch SLA. Critical within 24 hours, high within 7 days, medium within 30 days.

Data protection

Section titled “Data protection”
  • Encryption everywhere (Pillar IV §3).
  • Key management via KMS, with customer-controlled keys (BYOK) available for Enterprise.
  • Backup encryption plus offsite copies plus monthly restore tests.

ISO/IEC 27001 certification status

Section titled “ISO/IEC 27001 certification status”

Bizzi maintains an ISMS aligned to ISO/IEC 27001. The specific certification status (current certificate, scope, and certifying body) is provided to customers under NDA as part of due diligence. Public disclosure of certificate details is via the Bizzi Trust Portal and the Sub-processor registry.

ISO/IEC 42001 readiness

Section titled “ISO/IEC 42001 readiness”

ISO/IEC 42001 (AI Management Systems) is designed to sit on top of ISO/IEC 27001 (ISMS). Three statements describe our current position.

  • This document, BAGF v1.0, is structured against ISO/IEC 42001.
  • An internal ISO/IEC 42001 readiness assessment has been completed.
  • A formal certification roadmap is pending AI Board approval.

The specific certification timeline will be disclosed in the BAGF roadmap (Executive Summary §7) when confirmed.

Integration with Pillar V

Section titled “Integration with Pillar V”

The mapping from ISMS control to AI-specific augmentation is mechanical:

ISO/IEC 27001 controlAI-specific augmentation in Pillar V
A.9. Access controlAgent RBAC (§9), Access Token inheritance
A.10. CryptographyField-level encryption for PII
A.12. Operations securityADLC (Pillar IV §5-10), red-team cadence
A.15. Supplier relationshipsVendor LLM Zero Data Retention (Pillar II §6)
A.16. Incident managementAI incident playbook (§12), Kill-switch (§11)

Standards mapping

Section titled “Standards mapping”